Cancelable biometrics refers to the intentional and systematically repeatable distortion of biometric features in order to protect sensitive user-specific data. If a cancelable feature is compromised, the distortion characteristics are changed, and the same biometric is mapped to a new template, which is used subsequently. Alongside biometric cryptosystems, cancelable biometrics is one of the major categories of biometric template protection.


Introduction

Although biometrics is a powerful tool against repudiation and has been widely deployed in various security systems, biometric characteristics are largely immutable, resulting in permanent biometric compromise when a template is stolen. The concept of cancelable biometrics was introduced so that a biometric template can be cancelled and revoked like a password, as well as being unique to every application. Cancelable biometrics requires storage of the distorted version of the biometric template, which provides a high level of privacy by allowing multiple templates to be associated with the same biometric data. This helps to promote non-linkability of a user's biometric data stored across various databases.

Objectives

The four objectives in designing a cancelable biometric scheme are as follows:

Diversity: The same cancelable features must not be used across different applications; therefore a large number of protected templates must be derivable from the same biometric feature.

Reusability/Revocability: Straightforward revocation and reissue in the event of compromise.

Non-invertibility: Non-invertibility of template computation to prevent recovery of original biometric data.

Performance: The formulation should not deteriorate the recognition performance.

Methods

The first attempt towards this direction was recorded by Soutar et al. (1998) but the concrete idea of cancelable biometrics was furnished by Bolle et al. (2002). This area is growing rapidly and numerous new techniques have been proposed since then. The methods generally fall into two categories: (1) Biometric Salting and (2) Non-invertible Transforms.

A distinct advantage of cancelable biometrics compared with other biometric template protection techniques, such as biometric cryptosystems, is that the transformed biometrics can remain in the same feature space as the original ones, so that the same matcher can be used for authentication.

Biometric Salting

Figure 1: Block diagram of Biometric Salting.

Biometric salting resembles password salting in cryptography, in which random bits \(r\) are used as an input factor to be concatenated with a secret key \(k\). The output is often stored as a hash \(H(r+k)\) in the database. Biometric salting follows the same principle: a user-specific and independent input factor (auxiliary data such as a password or user-specific random numbers) is blended with the biometric data to derive a distorted version of the biometric template. Since the auxiliary data is externally derived and interacts directly with the biometric data, it can be changed and revoked easily, but it must be kept secret for maximum security protection. However, since external confidential keys or passwords are easily lost, stolen or compromised, the accuracy and vulnerabilities of existing schemes should be justified (Kong et al., 2008).

An instance of biometric salting, namely biohashing, which is based on user-specific random projection, was proposed by Teoh et al. (2004, 2006). A user-specific random matrix \(R\) of size \(r \times c\) is generated from the auxiliary data, and Gram-Schmidt orthonormalization is carried out so that the \(c\) columns of \(R\) are orthonormal. The extracted feature vector \(x\) is then projected as \(y = R^{T}x\), and \(y\) is thresholded by \(b_i = 0\) if \(y_i < \tau\), and \(b_i = 1\) otherwise, for \(i = 1, 2, \ldots, c\), where \(\tau\) is a preset threshold that is usually set to 0. The binary vector \(b\) is stored as the template. The formulation with its optimal setting has been examined with several biometric modalities such as fingerprint, iris, palm print, speech and face, with nearly zero error rates. However, biohash performance degrades substantially in the stolen-token scenario, in which a genuine user's token is "stolen" and used by an impostor for verification. Besides that, the non-invertibility of biohashing could be jeopardized if both \(y\) and \(R\) are known and if the ratio \(r/c\) is close to 1. This is because biohashing is essentially a quantized under-determined system of linear equations, which could be solved partially via a pseudo-inverse operation.
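The projection and thresholding steps above can be exercised on synthetic data to check revocability and to measure how much separation is lost in the stolen-token scenario. This is an added example, not code from the cited authors; the function names, token strings, dimensions (\(r = 256\), \(c = 128\)) and feature vectors are all constructed for illustration.

```python
import hashlib, math, random
from functools import lru_cache

@lru_cache(maxsize=None)
def token_matrix(token, r, c):
    """c orthonormal columns of length r, seeded from the token (Gram-Schmidt)."""
    # random.Random keeps the demo reproducible; it is not a cryptographic PRNG.
    rng = random.Random(int.from_bytes(hashlib.sha256(token).digest(), "big"))
    cols = []
    while len(cols) < c:
        v = [rng.gauss(0, 1) for _ in range(r)]
        for u in cols:                      # remove components along earlier columns
            d = sum(a * b for a, b in zip(u, v))
            v = [b - d * a for a, b in zip(u, v)]
        n = math.sqrt(sum(a * a for a in v))
        if n > 1e-9:
            cols.append([a / n for a in v])
    return cols

def biohash(x, token, c=128, tau=0.0):
    """b_i = 0 if (R^T x)_i < tau, else 1."""
    return [0 if sum(a * b for a, b in zip(col, x)) < tau else 1
            for col in token_matrix(token, len(x), c)]

def hamming(a, b):
    """Normalized Hamming distance between two bit vectors."""
    return sum(p != q for p, q in zip(a, b)) / len(a)

def demo():
    rng = random.Random(2024)               # constructed feature vectors, not real biometrics
    x = [rng.gauss(0, 1) for _ in range(256)]
    recapture = [v + rng.gauss(0, 0.1) for v in x]            # same user, sensor noise
    lookalike = [0.8 * v + 0.6 * rng.gauss(0, 1) for v in x]  # similar-looking impostor
    enrolled = biohash(x, b"token-A")
    return {
        "genuine": hamming(enrolled, biohash(recapture, b"token-A")),
        "reissued": hamming(enrolled, biohash(x, b"token-B")),
        "lookalike_own_token": hamming(enrolled, biohash(lookalike, b"token-C")),
        "lookalike_stolen_token": hamming(enrolled, biohash(lookalike, b"token-A")),
    }

if __name__ == "__main__":
    for name, dist in demo().items():
        print(f"{name:24s} {dist:.3f}")
```

With the token secret, both the reissued template and the impostor sit near a distance of 0.5 from the enrolled one; with the token stolen, the impostor's distance falls back to whatever separation the raw features provide, which is the quantity an evaluation should report.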

Savvides et al. (2004) proposed another instance of biometric salting, which encrypts the training images by synthesizing a correlation filter for face recognition. They showed that different templates can be obtained from the same biometrics by varying the random convolution kernels, thus enabling cancelable templates. Note that the random kernels were generated from different random matrices created using a user-specific PIN. Their results demonstrated that convolving the training images with any random convolution kernel prior to building the biometric filter does not change the resulting correlation output peak-to-side-lobe ratios, thus preserving existing performance. However, the security could be jeopardized via a deterministic deconvolution with a known random kernel. An enhancement of cancelable correlation filter encryption was reported by Hirata and Takahashi (2009). It was shown that security is heightened by applying the Number Theoretic Transform, a Fourier-like transform over a finite field, to the biometric data before random kernel convolution.

Jeong et al. (2006) proposed a biometric salting scheme for appearance-based face templates. Two feature vectors were extracted with PCA (Principal Component Analysis) and ICA (Independent Component Analysis) from a face image, and these vectors were normalized. The resulting vectors were then permuted using a token-derived permutation matrix and fused at the feature level via the SUM rule. If this was compromised, a new feature vector can be generated by changing the permutation matrix.

For fingerprint minutiae, Lee et al. (2007) introduced translation- and rotation-invariant values, which were extracted using orientation information around each minutia. These values were then used as the inputs for two user-specific transformation functions, which were responsible for generating translational and rotational parameters. The cancelable templates were then constructed by changing each minutia in accordance with these parameters. When a cancelable template was compromised, a new template can be regenerated by replacing the transformation functions.

Farooq et al. (2007) presented a method that converts the fingerprint minutiae into a cancelable bitstring, without registration or pre-alignment. The idea is based on the fact that fingerprints can be represented by a set of triangles derived from sets of three minutiae that can be used directly in template-based matching. The proposed method is proven to be computationally irreversible and satisfies the criteria of reusability and diversity. Note that reusability is achieved by assigning a unique key to each user in the database to randomize the user template; in the event of compromise, the biometric template can be revoked by simply assigning a different key.

Non-invertible Transforms

In a non-invertible transformation, a many-to-one function \(f\) is designed to modify a raw biometric image intentionally into a new form within the context of feature or signal space. The function \(f\) serves as an agent in the context of template security, allowing for template non-invertibility, reusability and diversity. Since \(f\) does not have direct interaction with raw biometrics, the main advantage of this approach is that \(f\) does not need to be kept secret.

A realization of a non-invertible transform was reported by Ratha et al. (2007), wherein fingerprint data is transformed by a sequence of three non-invertible transformation functions. As shown in Figure 2, the three transformation functions are based on Cartesian, polar and surface folding transformations of the minutiae positions.

In the Cartesian transformation, the fingerprint minutiae space is tessellated into a rectangular grid with reference to the positions of singular points. Each cell, which may contain some minutiae, is shifted to a new position by a non-invertible transform, but the minutiae within it retain their relative positions, which maintains the status quo of intra-class variability. The polar transformation is similar to the Cartesian transformation, the only difference being that the image is now tessellated into polar sectors. Since the size of the sectors can differ according to their location, the translation vectors generated from the random key are used to control the radial distance of the transformed sectors so that they are not very different from each other.

In surface folding transformation, a mixture of 2D Gaussians and 2D electric potential field random charge distributions are used to translate the minutiae points. Since the transformations used in the mixture are locally smooth, this will only have a minimal effect on the error rates and will not reduce the discriminability of minutiae to any large extent when compared to the previous two transforms. Nevertheless, as a small change in minutiae position of the original fingerprint can lead to a large change post transformation especially if the point crosses a sharp boundary, proper pre-alignment with reference to the position of the core point is required to ensure that the biometric feature is transformed consistently across multiple instances of minutiae.

In general, all the three transformation functions allow more than one minutia to be mapped to the same point (many-to-one mapping) in the transform domain. For example, in the Cartesian transformation, two or more cells can be mapped onto a single cell so that even if an adversary knows the key and hence the transformation between cells, he cannot determine the original cell to which a minutia belongs because each minutia can independently belong to one of the possible cells. Hence, the method provides a certain extent of non-invertibility to the resulting template.
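The many-to-one property of the Cartesian transformation can be made concrete by deriving the cell map from a key and listing, for each destination cell, the source cells that collapse onto it. This is an added example, not the implementation of Ratha et al.; the 4x4 grid, the 64-pixel cell size, the key strings, the function names and the minutiae are constructed, and the input is assumed to be already aligned to the singular points.

```python
import hashlib, random
from collections import defaultdict

GRID, CELL = 4, 64   # assumed: 4x4 grid of 64-pixel cells over a 256x256 aligned image

# Constructed minutiae as (x, y, angle in degrees); not taken from a real fingerprint.
SAMPLE = [(10, 20, 30), (70, 20, 90), (130, 200, 45), (250, 250, 180), (10, 100, 270)]

def cell_map(key):
    """Key-derived destination cell for every source cell.

    Destinations are drawn with replacement, so several source cells
    can share one destination: the map is many-to-one, not a permutation.
    """
    rng = random.Random(int.from_bytes(hashlib.sha256(key).digest(), "big"))
    return [rng.randrange(GRID * GRID) for _ in range(GRID * GRID)]

def transform(minutiae, key):
    """Move each minutia to its cell's destination, keeping its offset inside the cell."""
    mapping = cell_map(key)
    out = []
    for x, y, theta in minutiae:
        dst = mapping[(y // CELL) * GRID + (x // CELL)]
        out.append(((dst % GRID) * CELL + x % CELL,
                    (dst // GRID) * CELL + y % CELL,
                    theta))
    return out

def preimage_cells(key):
    """For each destination cell, the source cells that map onto it.

    Even with the key known, a minutia seen in a destination cell could
    have come from any of the listed source cells.
    """
    inverse = defaultdict(list)
    for src, dst in enumerate(cell_map(key)):
        inverse[dst].append(src)
    return dict(inverse)

if __name__ == "__main__":
    print(transform(SAMPLE, b"key-1"))
    for dst, srcs in sorted(preimage_cells(b"key-1").items()):
        print(f"destination cell {dst:2d} <- source cells {srcs}")
```

The size of each preimage list is the ambiguity an adversary with the key still faces for that cell; destination cells with a single source cell contribute no ambiguity, which is why the choice of parameters matters for the non-invertibility actually obtained.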

However, Feng et al. (2008a) reasoned that the above transforms and the parameters chosen could degenerate the many-to-one mapping property on which the non-invertible functions rely, resulting in recovery of the original biometric features. Shin et al. (2009) showed that the surface folding transform could be inverted if two transformed templates originating from the same fingerprint are compromised.

Tulyakov et al. (2005) presented a method of hashing fingerprint minutiae information and performing fingerprint matching in a new domain. It is computationally hard to reconstruct the original features from the resulting hash values because of the one-way characteristic of the hashing function. If the hash values are compromised, the user is re-enrolled with a new hash function; hence both the non-invertibility and reusability requirements are satisfied. Diversity can also be attained, since different hash functions are used for the old compromised hash values and the new hash values.

Along the same line, Ang et al. (2005) proposed a geometric transformation to generate a key-dependent non-invertible cancelable template for fingerprint minutiae. In the proposal, a core point of a fingerprint image is first located, and then a line through the core point is specified. The angle of the line depends on the key of the transformation function, whose value can be set in the range 0 ≤ key ≤ π, so different transformed fingerprint templates can be obtained by simply changing the key value. However, since the minutiae above the line are reflected symmetrically below the line, the transformed template still retains some information of the original template. In addition, both techniques could not preserve the performance due to the query alignment issue.

Maiorana et al. (2009) proposed a non-invertible transformation scheme targeted at sequence-based biometrics such as dynamic handwritten signatures. The basic idea is to segment the online signature features (from at least one sample) into several chunks, where the length of the chunks is determined by a set of random integers. The segmented chunks are then convolved to form a new transformed feature which satisfies the reusability, diversity, non-invertibility and performance requirements. Nanni et al. (2010) showed that different matchers trained using cancelable templates could be combined to improve the performance of secure on-line signature verification.

Remarks

Cancelable biometrics offers a solution for preserving user privacy, since the user's true biometric is never revealed in the authentication process. It ensures that template protection is achieved at the feature level with the assistance of the auxiliary data or non-invertible transforms. On the other hand, cancelable biometrics has certain limitations that need to be taken into account. For instance, in a biometric salting design, the template may no longer be secure when the auxiliary data is compromised. For non-invertible transforms, non-invertibility enhances the security of the template space by employing a transformation process to reset the order or position of the feature set. However, this weakens the discriminatory power (performance) of the transformed features because of the enlargement of intra-class variation in the biometrics. In this context, if performance is the main concern in the design of a biometric system, then the system is expected to lack the randomness required for the design of a secure and unpredictable template space. Hence, it is very challenging to design a non-invertible function that satisfies both the performance and non-invertibility requirements.